11 Answers

The problem with most biometric systems is that they're inherently 'noisy', which requires software to sift through the noise to the true signal. A password is a few bytes where exactness needs to be perfect. A biometric fingerprint, or iris scan, or retina scan, or voice print, all need to have a 'close enough' threshold because biometrics change from day to day or week to week. Defeating such systems takes advantage of the 'close enough' nature of biometric authentication technology.

Because of this, a simple biometric is, in my opinion, less secure than a correctly selected password. And that doesn't even go into implementation details such as signal capture/replay possibilities between the scanner and the authenticator, or easily subverted skin conductivity sensors (lick the paper!).

When used in conjunction with a password, it can enhance security. But as I said, it shouldn't be used instead of a password.

I think this is very likely to be true in a well-disciplined professional environment. However, in many (most?) business environments, passwords are not taken seriously at all: they are routinely left on notes attached to cubicle walls, under keyboards, in desk drawers, etc. Depending on the culture of the organization, administrators may have little or no authority to proactively enforce security policies. It is not difficult to imagine environments where even single-factor fingerprint authentication would deliver greater security than properly selected (but improperly guarded) passwords.
– Skyhawk Oct 10 '10 at 23:14
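An added illustration of the "close enough" point in the answer above (example code, not from the original thread): a biometric template is modelled as a constructed 256-bit vector, a live scan differs from it in a few bits, and the accept threshold decides both how many genuine scans are rejected and how far a different finger can be and still be accepted, while a password hash allows no tolerance at all.

```python
import hashlib
import hmac

# Added example, not from the original thread. A template is modelled as a
# 256-bit string (iris-code style); live scans differ from the enrolled
# template in some bits, so matching needs a distance threshold.
# All templates below are constructed from fixed seeds, not real data.

def hamming_distance(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two equal-length templates."""
    assert len(a) == len(b)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def biometric_match(enrolled: bytes, live: bytes, threshold: int) -> bool:
    """'Close enough' check: accept when at most `threshold` bits differ."""
    return hamming_distance(enrolled, live) <= threshold

def password_match(stored_hash: bytes, candidate: str) -> bool:
    """Exact check: one wrong character is a rejection, no tolerance."""
    digest = hashlib.sha256(candidate.encode()).digest()
    return hmac.compare_digest(stored_hash, digest)

def flip_bits(template: bytes, positions) -> bytes:
    """Simulate scan noise (or another finger) by flipping the given bit indexes."""
    buf = bytearray(template)
    for pos in positions:
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)

# Constructed templates: 256 bits derived from a fixed seed.
ENROLLED = hashlib.sha256(b"constructed-enrolled-template").digest()
GOOD_SCAN = flip_bits(ENROLLED, range(0, 20))     # same finger, 20 noisy bits
OTHER_FINGER = flip_bits(ENROLLED, range(0, 60))  # different finger, 60 bits away

def decisions(threshold: int) -> dict:
    """Outcome of one threshold for the genuine scan and for the other finger."""
    return {
        "genuine_accepted": biometric_match(ENROLLED, GOOD_SCAN, threshold),
        "impostor_accepted": biometric_match(ENROLLED, OTHER_FINGER, threshold),
    }

def password_demo() -> tuple:
    """Exact matching: the right password passes, a one-character variant fails."""
    stored = hashlib.sha256(b"Tr0ub4dor&3").digest()
    return password_match(stored, "Tr0ub4dor&3"), password_match(stored, "Tr0ub4dor&4")

if __name__ == "__main__":
    for t in (10, 25, 64):   # too strict -> false reject; too loose -> false accept
        print(t, decisions(t))
    print(password_demo())
```

Threshold 10 rejects the genuine scan, 25 separates the two fingers, and 64 accepts both; the tolerance a deployment picks to keep users from being locked out is exactly the margin an impostor template has to land inside.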

The security of the scanner likely depends largely on the quality of the hardware. I'm guessing most scanners that come with laptops these days are pretty cheap and not intended for high security situations. Even higher quality scanners meant for door locks aren't impervious to fingerprint duplication. This Mythbusters clip proves as much.

Like Harley said though, multiple challenges are always more secure than a single challenge.

+1 for the clip. That episode debunked a bunch of things for me.
– Dana the Sane May 20 '09 at 21:59

Although, keep in mind... in that clip... that was a three day process for them to actually hack the lock. If it's something that's ultra-sensitive and you need good security you're better off using a fingerprint reader that will enable you to require a fingerprint and a password.
– Brett G Feb 20 '10 at 0:40

Is OS authentication more secure by using fingerprint reader than a (strong) password? Can that be hacked easily?

At one point, it was thought to be so. Since that time, there have been several methods developed to defeat the cheaper versions of these scanners.

If it is used as part of a two-factor or multi-factor authentication process, then I believe it will enhance security by raising the difficulty of entry. Here's someone discussing this.

By the way, where is the fingerprint stored? On the hardware chip or on filesystem?

Typically the filesystem. Many scanners simply turn the impression into a hash that is transmitted to the host PC. Kronos Touch ID is a corporate solution meant for use as a timeclock; it stores the data in a Paradox table(!) as a hash, so it's pretty clear where their profit margins are coming from with this device....

Is that dependent on the reader's hardware?

There are many readers, each with their own methods. While I can't speak with any authority on this, it seems that "yes" is a pretty good answer to this question.

Is that dependent on the library/OS implementation?

Again, I think it depends on the type of reader. Some actually transmit more than a hash (the actual fingerprint image), while others don't.

Bruce Schneier wrote a great analysis of biometrics where he explores the positives and negatives of using techniques such as finger-print readers for authentication. He points out that fingerprints are difficult to forge, but they're trivial to steal. Personally, the week I spent locked out of my own server room after I cut my finger badly enough to damage my fingerprint is enough to swear me off fingerprint readers.

Depending on the application and level of security required, biometrics can have a literally fatal flaw. Let's pretend that the bad guys really want whatever's protected by the security system, and are willing to kidnap and/or kill someone to get it.

Is OS authentication more secure by using fingerprint reader than a (strong) password? Can that be hacked easily?

Yes, it's pretty easy to hack off a finger from an authorized person and use that to pass the fingerprint reader. Or, the bad guys may put the person under duress and force them to put their finger on the scanner.

On the other hand, a password system can be set up with one password to give access, and another "duress" password to not only deny access, but also call for help if it's entered.

Personally, I don't work on any system that's so important that I'd want to lose a finger over it. If someone wants in badly enough, I don't even want them to be tempted to take my finger...

How is the fingerprint scanner attached? Does the scanner you are looking at use some kind of encryption between the scanner and the computer? If it doesn't, what would stop me from inserting a device between your scanner and your computer and then capturing your fingerprint?

You can't really change your fingerprint. If I can capture a fingerprint in a way that I can simply send the same data again and again, then your system is broken.
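An added example of the replay problem this answer raises (example code, not from the original thread): the host issues a single-use nonce, the scanner returns the template with an HMAC over nonce plus template under a shared key (assumed to be provisioned into the scanner and not extractable), and the host refuses any message whose nonce it did not just issue. Keys and templates are constructed values.

```python
import hashlib
import hmac
import os

# Added example, not from the original thread. Models the scanner-to-host
# link: a shared key (assumed provisioned at manufacture), a fresh nonce
# per attempt, and a MAC binding the nonce to the template so that bytes
# captured on the wire cannot simply be resent. All values are constructed.

KEY = b"constructed-shared-key-32-bytes!"   # assumption: held by scanner and host
TEMPLATE = hashlib.sha256(b"constructed-template").digest()

class Host:
    def __init__(self):
        self.outstanding = set()   # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        n = os.urandom(16)
        self.outstanding.add(n)
        return n

    def verify(self, msg: dict) -> bool:
        n = msg["nonce"]
        if n not in self.outstanding:   # replayed or unsolicited message
            return False
        self.outstanding.discard(n)     # every nonce is single-use
        expected = hmac.new(KEY, n + msg["template"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, msg["mac"]) and msg["template"] == TEMPLATE

def scanner_respond(nonce: bytes, template: bytes) -> dict:
    """Scanner side: authenticate the template together with the host's nonce."""
    mac = hmac.new(KEY, nonce + template, hashlib.sha256).digest()
    return {"nonce": nonce, "template": template, "mac": mac}

def naive_verify(msg: dict) -> bool:
    """Unauthenticated link: the host trusts whatever arrives on the wire."""
    return msg["template"] == TEMPLATE

def run_scenario() -> dict:
    host = Host()
    legit = scanner_respond(host.challenge(), TEMPLATE)
    first = host.verify(legit)                 # genuine attempt
    replay = host.verify(legit)                # same bytes resent: nonce already consumed
    stale = {"nonce": host.challenge(), "template": TEMPLATE, "mac": legit["mac"]}
    stale_mac = host.verify(stale)             # old MAC under a new nonce: fails
    return {"first": first, "replay": replay, "stale_mac": stale_mac,
            "naive_replay": naive_verify(legit)}
```

The nonce stops reuse of captured traffic; it does nothing if the key can be read out of the scanner or if the attacker can feed the sensor itself, which is the separate problem the thread's other answers cover.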

Fingerprint security is based on biometrics, where the concept is simple: the thumb impressions of all individuals living on this earth are different. The logic is true, but it totally depends on the technology you are using; if the program or hardware malfunctions, then it can be a risk too.

Having experienced a laptop (HP, from memory) where both my fingerprint and that of a co-worker granted access to the same user account, I have to say that there can be no absolute yes or no answer. Most implementations I've seen use only a few test points to determine a fingerprint. In my opinion, anything less than a couple of dozen points is inadequate for proper security. So, because it's going to depend on the implementation, if I had to give a yes or no answer it must be no.